The reality of the Web is that you will never be totally safe – you will take damage. The question is, how are you going to deal with it?

Arnold KwongManaging Director, Extratelligence

Overview

The TIM Lecture Series is hosted by the Technology Innovation Management (TIM) program at Carleton University in Ottawa, Canada. The lectures provide a forum to promote the transfer of knowledge between university research to technology company executives and entrepreneurs as well as research and development personnel. Readers are encouraged to share related insights or provide feedback on the presentation or the TIM Lecture Series, including recommendations of future speakers.

The first TIM lecture of 2014 was presented by Arnold Kwong, Managing Director of Extratelligence, whose lecture described aspects of his organization's research into web infections and protections over a 15-year period. The event was held at Carleton University on February 27th, 2014.

Summary

Kwong began the lecture by describing the key concept underlying the research effort at Extratelligence, which examines emerging threats against computers, networks, and infrastructure by new techniques and attack vectors using the analogy of biological infections and public health to use as a source of methodological treatment and mathematical models for computer-based agents that cause disruption or damage. Over time, the research has explored the strategy, protocols, and futures involved with ongoing countermeasures, conduct of technical practitioners, and the behaviour of the immersive Internet environment we now live in.

Threats, targets, threat vectors, infectious agents, and infections

In the parlance of the research, the process of looking at Internet-based problems, commonly referred to as “viruses”, “malware”, “Trojans”, and the like, considers perpetrators, targets, threat vectors, infectious agents, and infections.

The key lessons learned from the research are:

The infections must be treated like a long-term public health problem.

Infections will continue to occur.

There are no "magic bullet" cures for infected software and hardware.

There are not even techniques that will substantially reduce vulnerabilities.

"Good behaviour" is not enough to protect you from infections.

Infections will spread with astonishing speed on the Internet.

There is no "magic immunity" from infections – even "disconnected" systems can be compromised.

Damage from infections cannot be completely contained by prior planning or techniques.

Data privacy

In the instance of data privacy, the research developed a nomenclature of data privacy breaches, meaning that the data is under the access, control, or administration of other, unintended enterprises or people. This nomenclature has at least two dimensions: i) intentional (i.e., it was given up knowingly) and ii) unintentional (i.e., it was given up unknowingly or without anyone asking). Furthermore, the breach may be "active", meaning the is transmitted out from a source, or "passive", meaning the data was generated with or without the owner's knowledge.

The key lessons learned about data privacy are:

A little paranoia is a good thing.

You living your life will cause data to "seep" – and make money for somebody.

Convenience often trumps privacy in real life.

People will make money by collecting and monetizing your privacy.

You do not have to be a target to have data collected.

Staying "safe" on the Internet is not protective.

Being "off the net" does not mean you have control over information about you.

However, individuals can mitigate their risk through constant vigilance and by not "oversharing" their data. Where possible, individuals should create an use "virtual personas" rather than reveal their own data. Similarly, they should also avoid using other people's computers (e.g., for Google logins). In addition, individuals can take the following technical steps:

1. Firewalls: install and maintain firewalls.

2. Anti-spam and anti-virus solutions: install them and keep them up to date.

3. Web browsers

​Use https where possible (SSL/TLS) (EFF HTTPS Everywhere add-on).

Set "Do Not Track" everywhere.

Close your browser(s) immediately after use (e.g., IE/Safari/Firefox/Opera/Webkit/Chrome/Dolphin).

Two major email marketers (i.e., spammers) will be caught and blacklisted by mid 2016. Spam levels will drop 50% on the Internet for three weeks and then return to their previous levels.

A major infection will break out, affecting systems with more than 1 million web sites before 2016.

Lessons Learned

In the discussions that followed each portion of the presentation, audience members shared the lessons they learned from the presentation and injected their own knowledge and experience into the conversation.

The audience identified the following key takeaways from the presentation:

Current approaches are too expensive and do not work. We need a new way of thinking.

There is a parallel between the Internet and human biological systems: you can recover from some infections, but others will kill you.

Our desire for convenience overcomes our reluctance to give up our data. So, in most cases, people are giving up security and privacy because they choose to; they are weighing the risks and rewards of their economic and emotional interests.

Others are making value off your data, so there must be value there for you.

The single largest threat to our security is the lack of education about the nature of current threats and the levels of risk we face.

We need to raise the general level of awareness. And, for each of us, it begins at home – recognizing the vulnerabilities of our home computers, for example.

Being "off the net" is not enough – you are still vulnerable because others hold data about you.

Next Steps

Finally, the audience was asked to identify practical actions that can be taken at a local level to address the problem presented by the speaker. The audience identified the following next steps:

Seek out analogies from other domains; apply tools and frameworks from those domains to the domain of cybersecurity.

Develop a multidisciplinary course at Carleton University. (This step is already underway as part of the activities of the VENUS Cybersecurity Corporation: [Bailetti et al., 2013], and is scheduled for Summer 2014)

Connect successful local entrepreneurs with up-and-coming entrepreneurs in the cybersecurity domain. Include presentations about each participants future vision of a secure Internet.

Characterize existing business models for cybersecurity and identify opportunities for new business models.

Related articles

The availability of “big data” and “smart” products are credited with advancing solutions to complex problems in medicine, transportation, and education, among others. However, with big data comes big responsibility. The collection, storage, sharing, and analysis of data are far outpacing individual privacy protections, whether technological or legislative. The Internet of Things (IoT), with...

Analyzing “big data” holds huge potential for generating business value. The ongoing advancement of tools and technology over recent years has created a new ecosystem full of opportunities for data-driven innovation. However, as the amount of available data rises to new heights, so too does complexity. Organizations are challenged to create the right contexts, by shaping interfaces and...

New approaches to complex societal challenges require a diverse mix of resources and skillsets from different disciplines to create solutions that are of a transdisciplinary innovation nature. The constructive research method enables the purposeful creation of methods, modules, tools, and techniques that have applicability well beyond the case study that motivated their creation. This research...